Submit #829403: HKUDS nanobot <= 0.1.5.post3 Missing Origin Validation in WebSockets (CWE-1385)info

TitleHKUDS nanobot <= 0.1.5.post3 Missing Origin Validation in WebSockets (CWE-1385)
Description# Technical Details A Cross-Site WebSocket Hijacking (CSWSH) vulnerability exists in the `setupClient` method in `bridge/src/server.ts` of nanobot. The application fails to validate the Origin header during WebSocket handshakes when `BRIDGE_TOKEN` is unset, allowing untrusted cross-site connections. # Vulnerable Code File: bridge/src/server.ts Method: setupClient Why: The connection handler accepts any client connection without Origin validation when the optional `BRIDGE_TOKEN` is not configured, parsing and executing untrusted payload as bridge commands. # Reproduction 1. Ensure the victim is running Nanobot WhatsApp Bridge locally with `BRIDGE_TOKEN` unset (the default configuration). 2. Have the victim visit an attacker-controlled webpage containing a malicious WebSocket client. 3. The webpage connects to `ws://127.0.0.1:3001` and sends bridge commands (e.g., `send` or `send_media`). 4. The bridge processes the commands, bypassing origin trust boundaries. # Impact - Unauthorized local session control and message sending via the bridge. - Exposure of bridge-delivered WhatsApp events and QR flow metadata. - Abuse of the victim's active messaging context.
Source⚠️ https://gist.github.com/YLChen-007/023d2eb61c05dafc9bdc44a95938fe7a
User
 Eric-b (UID 96354)
Submission05/14/2026 07:13 (2 months ago)
Moderation06/14/2026 09:05 (1 month later)
StatusDuplicate
VulDB entry357650 [HKUDS nanobot up to 0.1.4 Bridge API bridge/src/server.ts BRIDGE_TOKEN missing origin validation in websockets]
Points0

Want to stay up to date on a daily basis?

Enable the mail alert feature now!